U.S. Privacy and Data Protection | Insights | Apr. 2024 (Federal Law)

U.S. Privacy and Data Protection | Insights | Apr. 2024 (Federal Law)

A draft of the American Privacy Rights Act of 2024 (APRA) was introduced this month, aiming to establish the nation’s first ever omnibus federal privacy legislation. Although now in draft form, passage and enactment of the APRA remains some time away, especially given an election year.

Overview

The APRA would establish a national baseline for consumer data privacy rights and security, mandating transparency for covered entities and consumer rights to delete and opt out. The law would set a ceiling on data collection and use by default, establishing data minimization principles only for limited and necessary established purposes. Discrimination against consumers via covered data would be prohibited, and so would use of algorithms to determine consequential decisions for consumers like offering housing or education. Sensitive covered data transfers would require affirmative prior consent. Finally, the APRA would create enforcement by individual private consumers, creating a private right of action unique to the federal privacy space. This would be in addition to state agencies and the FTC. The APRA would also likely preempt similar state privacy laws

Here are some noteworthy features of the APRA:

• Private Right of Action. Data subjects may seek private civil enforcement of the APRA, including recovery of attorneys’ fees and costs, actual damages, and declaratory and injunctive relief.
• Prohibition on Arbitration for Claims Involving “Significant Privacy Harm.” Victims of APRA violations under the age of 18 or involving a claim of at least $10,000 and/or involving protected class discrimination may seek to void any pre-dispute arbitration agreement. Moreover, the APRA provides that the applicability of arbitration will be decided by federal courts and not private arbitrators.
• Retaliation. Covered entities cannot deny a consumer services or provide different rates based on exercising rights under the APRA, including waiver of rights.
• Preemption. APRA includes preemption provisions that will trump similar state laws (such as California’s omnibus privacy law, the CPPA), promising uniformity in compliance to a single national standard rather than the current patchwork-like framework. Certain state non-comprehensive privacy laws (e.g., Washington’s medical privacy or Illinois’s biometric privacy laws) are expected to stand.
• “Consequential Decision” Opt-Out. Individuals subject to “covered algorithms” must be given an opt-out option before such algorithm is used to make a “consequential decision,” defined as an determination or an offer (including advertising) for housing, employment, education, healthcare, insurance, credit opportunities, and public accommodation.
• FTC and State Enforcement. In addition to private litigants, the APRA will be enforced publicly by the FTC and the state attorneys general (or other authorized state agency).
• Data Minimization Principles. APRA enumerates a set of permissible reasons for collecting, processing, transferring, and retaining any personal data.
• Affirmative Express Consent for Data Transfers. Litigants can bring claims not only for data breaches, but also for data transfers not made with “affirmative express consent” by the data subject.
• Cure Period. Litigants must first provide offending entities a 30-day notice period to cure alleged violations of the APRA, unless a claim involves “substantial privacy harm.”
• Executive Accountability. “Large data holders” must designate separate privacy and data security officers. The CEO of such companies will also be required to make a certification to the FTC, attesting to the entity’s controls, policies, and procedures. “Large data holders” are defined by their revenue and amount of covered data.
• Effective 180 Days After Enactment.
• Exemptions May Apply for Entities Already Federally Regulated (e.g., HIPAA, GLBA, etc.)
• Mandates a Universal Opt-Out Mechanism, Developed by FTC. Within two years, the FTC will unveil a global “opt-out” mechanism made universal for all covered entities. The FTC will also maintain a nationwide “Do Not Collect” searchable database for data brokers.
• Data Security. Covered entities will be required to enact reasonable data security practices based on the size and complexity of the organization.
• Privacy Enhancing Technology Pilot Program. The APRA will establish an FTC organized pilot program to encourage private sector development of privacy technology, providing a “rebuttable presumption” of compliance with data security requirements of the APRA to its participants.
• FTC Guidance. The FTC will provide compliance guidelines, entitling covered entities to a rebuttable presumption of compliance with the APRA.

Another recent effort was made to pass similar legislation, the American Data Privacy and Protection Act (ADPPA), but ultimately failed in the House. The APRA may face similar challenges, but is moving forward with momentum

The APRA promises even more consumer rights and stricter controls that prior attempts at comprehensive federal privacy law. Regardless of its passage, the contents of the APRA are worth observing, as they show a trend towards more empowerment of U.S. persons to control their data in the style of the E.U.’s GDRP.

Kronenberger Rosenfeld, LLP regularly advises clients regarding privacy compliance and defends clients facing state or federal investigations or enforcement actions relating to privacy and advertising issues. Contact our firm using our online case submission form here.